| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Via bug https://bugs.launchpad.net/tripleo/+bug/1657108 we need
to zero out the default rules in /etc/sysconfig/ip{6}tables in
the image.
We have done this for ipv4, but when we will do it for ipv6 we
will also need to make sure we add a rule for dhcpv6 traffic
as it is shipped in the iptables rpm. (See
https://bugzilla.redhat.com/show_bug.cgi?id=1169036 for more info)
With this change we correctly get the rule present (aka the first
ACCEPT line. The second line is due to the stock ip6tables rule
I had in my testing):
[root@overcloud-controller-0 ~]# iptables -nvL |grep 546
[root@overcloud-controller-0 ~]# ip6tables -nvL |grep 546
0 0 ACCEPT udp * * ::/0 fe80::/64 multiport dports 546 /* 004 accept ipv6 dhcpv6 ipv6 */ state NEW
0 0 ACCEPT udp * * ::/0 fe80::/64 udp dpt:546 state NEW
Change-Id: If22080054b2b1fa7acfd101e8c34d2707e8e7864
Partial-Bug: #1657108
|
|
This patch adds support for ip6tables rules in TripleO, in a intuitive
and flexible fashion.
1) Default firewal rules 'source' parameter to undef.
It was 0.0.0.0/0 before but now undef, so we don't need complex logic to
support ipv6 rules. undef will create empty source, which is the same as
0.0.0.0/0 or ::/0.
2) Automatically convert icmp rules to ipv6-icmp for ipv6 rules.
3) Automatically create IPv6 rules like it's for IPv4.
4) Only create rules that can be created, depending on
source/destination ip version.
This patch should be backward compatible and adds a layer of security
for IPv6 deployments. If previous deployments were manually creating
Ipv6 rules, it's possible that this patch will override them. Our
framework is able to configure any rule, so it shouldn't be a problem
for upgrades.
Co-Authored-By: Ben Nemec <bnemec@redhat.com>
Closes-Bug: #1654050
Change-Id: I98a00a9ae265d3e5854632e749cc8c3a1647298c
|
|
This closes CVE-2016-9599.
1) Sanitize dynamic HAproxy endpoints firewall rules
Build the hash of firewall rules only when a port is specified. The
HAproxy endpoints are using TCP protocol, which means we have to specify
a port to the IPtables rules.
Some services don't have public network exposure (e.g. Glance Registry),
which means they don't need haproxy_ssl rule.
The code prepare the hash depending on the service_port and
public_ssl_port parameters and create the actual firewall rules only if
one of those or both parameters are specified.
It will prevent new services without public exposure to open all traffic
because no port is specified.
2) Secure Firewall rules creations
The code won't allow to create TCP / UDP IPtables rules in INPUT
or OUTPUT chains without port or sport or dport, because doing it would
allow an IPtables rule opening all traffic for TCP or UDP.
If we try to do that, Puppet catalog will fail with an error explaining
why.
Example of use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.
3) Allow to open all traffic for TCO / UDP (when desired)
Some use-cases require to open all traffic for all ports on TCP / UDP.
It will be possible if the user gives port = 'all' when creating the
firewall rule.
Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port
parameters, it won't work anymore, for security purpose.
- if you users want to open TCP / UDP for all ports, they need to pass
port = 'all' and the rule will be created, though a warning will be
displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it
will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.
Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
|
|
The firewall rule quite reasonably sets up a default state matching rule
but this is invalid for GRE. This patch conditionally adds the state
matching if the protocol is not GRE.
Closes-Bug: #1644360
Change-Id: Ie4ca41d0f36e79ba6822c358e21b827105736dd7
|
|
This patch updates the tripleo::firewall class so that it will
support loading firewall rules defined in composable services
via the following hiera keys (for nova-api for example):
tripleo.nova_api.firewall_rules
This patch relies on a new 'service_names' hiera array that should be
provided on all TripleO overcloud nodes.
Depends-On: I60861c5aa760534db3e314bba16a13b90ea72f0c
Change-Id: Id370362ab57347b75b1ab25afda877885b047263
|
|
The port parameter to puppetlabs-firewall is actually deprecated[1].
This adds support for using the new parameter names dport and sport. The
port parameter is still retained in puppet-tripleo for backwards
compatibily for anyone using that interface. It is marked deprecated in
the documentation, however no deprecation warning is needed because
there is already a warning from from puppetlabs-firewall.
blueprint undercloud-elements
Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
|
|
Specifying a destination cidr is already supported by
puppetlabs-firewall, we just need to pass through the parameter in
rule.pp in puppet-tripleo.
This will allow creating iptables rules that forward network traffic for
a given cidr via puppet-tripleo.
Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
|
|
* Provide a Define function which will allow to manage IPtables rules.
* Manage rules in 'pre' and 'post' Puppet stages, it allows to create
rules before and after regular Puppet stages (ie: to make sure no rule
exists *before* and everything is blocked *after* regular Puppet
stages)
Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
|
Michele Baldessari
Emilien Macchi
Brent Eagles
Dan Prince
James Slagle